purelogstealer | f5a8adbb37ce76781117aad88c8c4c9e2b8d7bdd3c3378afdb7dc37c66134b59

Analysis

max time kernel
9s
max time network
59s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-06-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sync_spoofer.exe
Size

6.8MB
MD5

7a09738f8033d766e8b03463389f0e20
SHA1

b453feaf2a393f9cb7a81804594bc0d8ddcff48d
SHA256

f5a8adbb37ce76781117aad88c8c4c9e2b8d7bdd3c3378afdb7dc37c66134b59
SHA512

6acb6043716df9c01e9a9e73963d361e4cef1608fdfd10217d1d8ed3d9ff4ca44cf5f1dbbe4f2ffd1a8de9ae71eeee0171a8cf341ce8c2085e2e40123830ad7d
SSDEEP

98304:3J86VheatbLbVVjFuvsw6TUSf47SbICvdH89fL8JaeCl9Kaw8TPObUPma9/l7i:3W6VhjFCzXSs09X789KaeQtW

Score

10^/10

purelogstealer evasion execution persistence stealer

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	1252	schtasks.exe

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe	family_purelog_stealer
behavioral1/memory/920-13-0x00000000002A0000-0x0000000000378000-memory.dmp	family_purelog_stealer

Nirsoft 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe Nirsoft
C:\ProgramData\Microsoft\Windows\DevManView.exe Nirsoft
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1152 powershell.exe
4312 powershell.exe
3372 powershell.exe
2396 powershell.exe
4628 powershell.exe
592 powershell.exe
3876 powershell.exe
3000 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

resource	yara_rule
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe	Nirsoft
C:\ProgramData\Microsoft\Windows\DevManView.exe	Nirsoft

pid	process
1152	powershell.exe
4312	powershell.exe
3372	powershell.exe
2396	powershell.exe
4628	powershell.exe
592	powershell.exe
3876	powershell.exe
3000	powershell.exe

Executes dropped EXE 19 IoCs

Processes:

HpsrSpoof.exesp_componentbrowserFontDriverPerf.execonhost_sft.exeVolumeid64.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

pid	process
4024	HpsrSpoof.exe
920	sp_componentbrowserFontDriverPerf.exe
976	conhost_sft.exe
1240	Volumeid64.exe
200	DevManView.exe
4432	DevManView.exe
4056	DevManView.exe
4928	DevManView.exe
308	DevManView.exe
196	DevManView.exe
908	DevManView.exe
208	DevManView.exe
2292	DevManView.exe
2824	DevManView.exe
356	DevManView.exe
3304	DevManView.exe
4568	DevManView.exe
3184	DevManView.exe
4284	DevManView.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	ioc	process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
6 pastebin.com
7 pastebin.com
2 pastebin.com
3 pastebin.com

flow	ioc
5	pastebin.com
6	pastebin.com
7	pastebin.com
2	pastebin.com
3	pastebin.com

Maps connected drives based on registry 3 TTPs 53 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe

Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.execmd.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2964 powercfg.exe
1372 cmd.exe
2952 powercfg.exe
4944 powercfg.exe
356 powercfg.exe
4572 cmd.exe
984 powercfg.exe
1176 powercfg.exe
2200 powercfg.exe
5056 powercfg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

sync_spoofer.exe

pid process

4300 sync_spoofer.exe

pid	process
2964	powercfg.exe
1372	cmd.exe
2952	powercfg.exe
4944	powercfg.exe
356	powercfg.exe
4572	cmd.exe
984	powercfg.exe
1176	powercfg.exe
2200	powercfg.exe
5056	powercfg.exe

pid	process
4300	sync_spoofer.exe

Drops file in Program Files directory 3 IoCs

Processes:

sp_componentbrowserFontDriverPerf.exe

description	ioc	process
File created	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	sp_componentbrowserFontDriverPerf.exe
File opened for modification	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	sp_componentbrowserFontDriverPerf.exe
File created	C:\Program Files\Windows Portable Devices\5b884080fd4f94	sp_componentbrowserFontDriverPerf.exe

Drops file in Windows directory 3 IoCs

Processes:

sp_componentbrowserFontDriverPerf.exeDevManView.exe

description	ioc	process
File created	C:\Windows\TAPI\69ddcba757bf72	sp_componentbrowserFontDriverPerf.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File created	C:\Windows\TAPI\smss.exe	sp_componentbrowserFontDriverPerf.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3536 sc.exe
4164 sc.exe
5028 sc.exe
620 sc.exe
4060 sc.exe
4020 sc.exe
3292 sc.exe
404 sc.exe
2880 sc.exe
780 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3536	sc.exe
4164	sc.exe
5028	sc.exe
620	sc.exe
4060	sc.exe
4020	sc.exe
3292	sc.exe
404	sc.exe
2880	sc.exe
780	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	DevManView.exe

Modifies registry class 1 IoCs

Processes:

sp_componentbrowserFontDriverPerf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings sp_componentbrowserFontDriverPerf.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2696 PING.EXE
824 PING.EXE
208 PING.EXE
360 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	sp_componentbrowserFontDriverPerf.exe

pid	process
2696	PING.EXE
824	PING.EXE
208	PING.EXE
360	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4252	schtasks.exe
4288	schtasks.exe
3184	schtasks.exe
2956	schtasks.exe
4900	schtasks.exe
3220	schtasks.exe
1984	schtasks.exe
4524	schtasks.exe
2272	schtasks.exe
3224	schtasks.exe
1384	schtasks.exe
1964	schtasks.exe
2200	schtasks.exe
1160	schtasks.exe
648	schtasks.exe
2920	schtasks.exe
1884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sp_componentbrowserFontDriverPerf.exepowershell.exe

pid	process
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
1152	powershell.exe
1152	powershell.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe
920	sp_componentbrowserFontDriverPerf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sp_componentbrowserFontDriverPerf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	920	sp_componentbrowserFontDriverPerf.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeIncreaseQuotaPrivilege	3372	powershell.exe
Token: SeSecurityPrivilege	3372	powershell.exe
Token: SeTakeOwnershipPrivilege	3372	powershell.exe
Token: SeLoadDriverPrivilege	3372	powershell.exe
Token: SeSystemProfilePrivilege	3372	powershell.exe
Token: SeSystemtimePrivilege	3372	powershell.exe
Token: SeProfSingleProcessPrivilege	3372	powershell.exe
Token: SeIncBasePriorityPrivilege	3372	powershell.exe
Token: SeCreatePagefilePrivilege	3372	powershell.exe
Token: SeBackupPrivilege	3372	powershell.exe
Token: SeRestorePrivilege	3372	powershell.exe
Token: SeShutdownPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeSystemEnvironmentPrivilege	3372	powershell.exe
Token: SeRemoteShutdownPrivilege	3372	powershell.exe
Token: SeUndockPrivilege	3372	powershell.exe
Token: SeManageVolumePrivilege	3372	powershell.exe
Token: 33	3372	powershell.exe
Token: 34	3372	powershell.exe
Token: 35	3372	powershell.exe
Token: 36	3372	powershell.exe
Token: SeIncreaseQuotaPrivilege	4312	powershell.exe
Token: SeSecurityPrivilege	4312	powershell.exe
Token: SeTakeOwnershipPrivilege	4312	powershell.exe
Token: SeLoadDriverPrivilege	4312	powershell.exe
Token: SeSystemProfilePrivilege	4312	powershell.exe
Token: SeSystemtimePrivilege	4312	powershell.exe
Token: SeProfSingleProcessPrivilege	4312	powershell.exe
Token: SeIncBasePriorityPrivilege	4312	powershell.exe
Token: SeCreatePagefilePrivilege	4312	powershell.exe
Token: SeBackupPrivilege	4312	powershell.exe
Token: SeRestorePrivilege	4312	powershell.exe
Token: SeShutdownPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeSystemEnvironmentPrivilege	4312	powershell.exe
Token: SeRemoteShutdownPrivilege	4312	powershell.exe
Token: SeUndockPrivilege	4312	powershell.exe
Token: SeManageVolumePrivilege	4312	powershell.exe
Token: 33	4312	powershell.exe
Token: 34	4312	powershell.exe
Token: 35	4312	powershell.exe
Token: 36	4312	powershell.exe
Token: SeIncreaseQuotaPrivilege	3000	powershell.exe
Token: SeSecurityPrivilege	3000	powershell.exe
Token: SeTakeOwnershipPrivilege	3000	powershell.exe
Token: SeLoadDriverPrivilege	3000	powershell.exe
Token: SeSystemProfilePrivilege	3000	powershell.exe
Token: SeSystemtimePrivilege	3000	powershell.exe
Token: SeProfSingleProcessPrivilege	3000	powershell.exe
Token: SeIncBasePriorityPrivilege	3000	powershell.exe
Token: SeCreatePagefilePrivilege	3000	powershell.exe
Token: SeBackupPrivilege	3000	powershell.exe
Token: SeRestorePrivilege	3000	powershell.exe
Token: SeShutdownPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeSystemEnvironmentPrivilege	3000	powershell.exe
Token: SeRemoteShutdownPrivilege	3000	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sync_spoofer.exe

pid process

4300 sync_spoofer.exe

pid	process
4300	sync_spoofer.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

sync_spoofer.exeHpsrSpoof.execmd.exesp_componentbrowserFontDriverPerf.execmd.execmd.exe

description	pid	process	target process
PID 4300 wrote to memory of 1152	4300	sync_spoofer.exe	powershell.exe
PID 4300 wrote to memory of 1152	4300	sync_spoofer.exe	powershell.exe
PID 4300 wrote to memory of 1152	4300	sync_spoofer.exe	powershell.exe
PID 4300 wrote to memory of 4024	4300	sync_spoofer.exe	HpsrSpoof.exe
PID 4300 wrote to memory of 4024	4300	sync_spoofer.exe	HpsrSpoof.exe
PID 4300 wrote to memory of 920	4300	sync_spoofer.exe	sp_componentbrowserFontDriverPerf.exe
PID 4300 wrote to memory of 920	4300	sync_spoofer.exe	sp_componentbrowserFontDriverPerf.exe
PID 4300 wrote to memory of 976	4300	sync_spoofer.exe	conhost_sft.exe
PID 4300 wrote to memory of 976	4300	sync_spoofer.exe	conhost_sft.exe
PID 4024 wrote to memory of 5096	4024	HpsrSpoof.exe	cmd.exe
PID 4024 wrote to memory of 5096	4024	HpsrSpoof.exe	cmd.exe
PID 5096 wrote to memory of 1240	5096	cmd.exe	Volumeid64.exe
PID 5096 wrote to memory of 1240	5096	cmd.exe	Volumeid64.exe
PID 920 wrote to memory of 3372	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 3372	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 4312	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 4312	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 3000	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 3000	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 3876	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 3876	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 592	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 592	920	sp_componentbrowserFontDriverPerf.exe	powershell.exe
PID 920 wrote to memory of 4068	920	sp_componentbrowserFontDriverPerf.exe	cmd.exe
PID 920 wrote to memory of 4068	920	sp_componentbrowserFontDriverPerf.exe	cmd.exe
PID 4068 wrote to memory of 3172	4068	cmd.exe	chcp.com
PID 4068 wrote to memory of 3172	4068	cmd.exe	chcp.com
PID 4068 wrote to memory of 360	4068	cmd.exe	PING.EXE
PID 4068 wrote to memory of 360	4068	cmd.exe	PING.EXE
PID 4024 wrote to memory of 2876	4024	HpsrSpoof.exe	schtasks.exe
PID 4024 wrote to memory of 2876	4024	HpsrSpoof.exe	schtasks.exe
PID 2876 wrote to memory of 200	2876	cmd.exe	ChromeUpdate.exe
PID 2876 wrote to memory of 200	2876	cmd.exe	ChromeUpdate.exe
PID 2876 wrote to memory of 4432	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4432	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4056	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4056	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4928	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4928	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 308	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 308	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 196	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 196	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 908	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 908	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 208	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 208	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 2292	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 2292	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 2824	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 2824	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 356	2876	cmd.exe	powercfg.exe
PID 2876 wrote to memory of 356	2876	cmd.exe	powercfg.exe
PID 2876 wrote to memory of 3304	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 3304	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4568	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4568	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 3184	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 3184	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4284	2876	cmd.exe	DevManView.exe
PID 2876 wrote to memory of 4284	2876	cmd.exe	DevManView.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sync_spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\sync_spoofer.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAcQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAbgBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAdwByACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: CA7D-R9TV
3⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: CA7D-R9TV
4⤵
- Executes dropped EXE
PID:1240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:200

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:4432

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:4056

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:4928

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:308

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:196

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:908

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:208

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:2292

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:2824

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:356

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:3304

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:4568

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3184

C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
3⤵
PID:2232

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 12481HP-TRGT7160AB
4⤵
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
3⤵
PID:4372

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 212481HP-TRGT7160RV
4⤵
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
3⤵
PID:4588

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 812485HP-TRGT17909SG
4⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
3⤵
PID:868

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
3⤵
PID:1020

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 512485HP-TRGT17909SL
4⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
3⤵
PID:4904

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 412485HP-TRGT17909FA
4⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
3⤵
PID:4560

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 612485HP-TRGT17909FU
4⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
3⤵
PID:1152

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 312488HP-TRGT28657DQ
4⤵
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
3⤵
PID:1984

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 712488HP-TRGT28657MST
4⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
3⤵
PID:2964

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:1528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
3⤵
PID:4264

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 12504HP-TRGT16863AB
4⤵
PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
3⤵
PID:1264

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 212504HP-TRGT16863RV
4⤵
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
3⤵
PID:4940

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 812504HP-TRGT16863SG
4⤵
PID:64

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
3⤵
PID:2956

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:1964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
3⤵
PID:4344

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 512504HP-TRGT16863SL
4⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
3⤵
PID:3716

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 412504HP-TRGT16863FA
4⤵
PID:4004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
3⤵
PID:2884

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 612504HP-TRGT16863FU
4⤵
PID:4000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
3⤵
PID:4240

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 312504HP-TRGT16863DQ
4⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
3⤵
PID:4984

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 712504HP-TRGT16863MST
4⤵
PID:4356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
3⤵
PID:2620

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
3⤵
PID:204

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 12521HP-TRGT5069AB
4⤵
PID:1960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
3⤵
PID:584

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 212521HP-TRGT5069RV
4⤵
PID:4740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
3⤵
PID:4952

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 812521HP-TRGT5069SG
4⤵
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
3⤵
PID:4860

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
4⤵
PID:4048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
3⤵
PID:4948

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 512521HP-TRGT5069SL
4⤵
PID:908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
3⤵
PID:640

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 412521HP-TRGT5069FA
4⤵
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
3⤵
PID:2324

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 612521HP-TRGT5069FU
4⤵
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
3⤵
PID:988

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 312521HP-TRGT5069DQ
4⤵
PID:216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
3⤵
PID:2272

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 712521HP-TRGT5069MST
4⤵
PID:196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
3⤵
PID:2396

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
4⤵
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9SU9-B7AH
3⤵
PID:1640

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9SU9-B7AH
4⤵
PID:508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: UI4F-USB9
3⤵
PID:1792

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: UI4F-USB9
4⤵
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: O4GF-4VV5
3⤵
PID:2524

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: O4GF-4VV5
4⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 8R1V-UCPT
3⤵
PID:3184

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 8R1V-UCPT
4⤵
PID:2964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: DJBK-4UMS
3⤵
PID:2248

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: DJBK-4UMS
4⤵
PID:4264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 9UJ5-OZAC
3⤵
PID:3392

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 9UJ5-OZAC
4⤵
PID:4120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: T54F-9LB0
3⤵
PID:4188

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: T54F-9LB0
4⤵
PID:2960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R37U-73CA
3⤵
PID:4148

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R37U-73CA
4⤵
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 93KF-TBUU
3⤵
PID:2992

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 93KF-TBUU
4⤵
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: L2K0-9MTE
3⤵
PID:708

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: L2K0-9MTE
4⤵
PID:592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 3KS1-9IBV
3⤵
PID:4184

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 3KS1-9IBV
4⤵
PID:2932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: PHTO-BKJT
3⤵
PID:3192

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: PHTO-BKJT
4⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: N64Z-10MC
3⤵
PID:1336

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: N64Z-10MC
4⤵
PID:640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 83G0-KMGV
3⤵
PID:4516

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 83G0-KMGV
4⤵
PID:2352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: C7DA-1HPE
3⤵
PID:2288

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: C7DA-1HPE
4⤵
PID:4928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: LRAM-47N0
3⤵
PID:4276

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: LRAM-47N0
4⤵
PID:1264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: V524-PTIO
3⤵
PID:948

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: V524-PTIO
4⤵
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 79HB-DLI9
3⤵
PID:3748

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 79HB-DLI9
4⤵
PID:4984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: NGZH-4N85
3⤵
PID:984

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: NGZH-4N85
4⤵
PID:3548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: ZVL1-1SJE
3⤵
PID:4552

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: ZVL1-1SJE
4⤵
PID:220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 6KU4-G7RA
3⤵
PID:4420

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 6KU4-G7RA
4⤵
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: SM5I-6DLA
3⤵
PID:2008

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: SM5I-6DLA
4⤵
PID:2136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 00B2-I3V4
3⤵
PID:2524

C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 00B2-I3V4
4⤵
PID:3304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
3⤵
PID:3328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
3⤵
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
3⤵
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
3⤵
PID:372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
3⤵
PID:3388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
3⤵
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
3⤵
PID:2932

C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe
"C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\smss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\unsecapp.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6lE2IkKRbl.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3172

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:360

C:\Users\Public\Pictures\unsecapp.exe
"C:\Users\Public\Pictures\unsecapp.exe"
4⤵
PID:5044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rAhl4fNEA5.bat"
5⤵
PID:3592

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:5012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2696

C:\Users\Public\Pictures\unsecapp.exe
"C:\Users\Public\Pictures\unsecapp.exe"
6⤵
PID:4876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DITavvsiMU.bat"
7⤵
PID:2884

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1412

C:\Users\Public\Pictures\unsecapp.exe
"C:\Users\Public\Pictures\unsecapp.exe"
8⤵
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\updpj3XpIL.bat"
9⤵
PID:4988

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:3552

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:824

C:\Users\Public\Pictures\unsecapp.exe
"C:\Users\Public\Pictures\unsecapp.exe"
10⤵
PID:204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jKeWzk8OD4.bat"
11⤵
PID:4948

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:208

C:\Users\Public\Pictures\unsecapp.exe
"C:\Users\Public\Pictures\unsecapp.exe"
12⤵
PID:5020

C:\Users\Admin\AppData\Roaming\conhost_sft.exe
"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
2⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2396

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2820

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:5028

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2880

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:620

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:780

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:4060

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:1372

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:2952

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:4944

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:356

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:2200

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:2876

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\bozscvkmidso.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4420

C:\Program Files\Google\Chrome\ChromeUpdate.exe
"C:\Program Files\Google\Chrome\ChromeUpdate.exe"
1⤵
PID:200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4628

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:3328

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:4020

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3536

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:4164

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:3292

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:404

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:4572

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:5056

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:984

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:1176

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:2964

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\bozscvkmidso.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
C:\ProgramData\Microsoft\Windows\DevManView.cfg
Filesize
1KB

MD5
43b37d0f48bad1537a4de59ffda50ffe

SHA1
48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8

SHA256
fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288

SHA512
cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

Download Submit
C:\ProgramData\Microsoft\Windows\DevManView.exe
Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
C:\ProgramData\Microsoft\Windows\Disk.bat
Filesize
1KB

MD5
250e75ba9aac6e2e9349bdebc5ef104e

SHA1
7efdaef5ec1752e7e29d8cc4641615d14ac1855f

SHA256
7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516

SHA512
7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

Download Submit
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e3ee4c7aaddca79dbf4f301e4869b273

SHA1
05721282a5a5f7ccce1ffd2854af0d4358d93239

SHA256
5644a47ba60cad98277985d017391e6b98564f726d38cef7acda5657b6607733

SHA512
9e2748bc36d91c2bb645f620f6657f4cacf0c7d31beacaa01a205af5bcaf5e3b58aa745d4c2cc5397138aa8e7049e99e8e30305425e55207f154e77711920129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
95cd62d55c15f43e7a132b7f0fd87313

SHA1
84031c35808061cbf32b6ff83008b39e0cf36354

SHA256
866e790eaec392c6faa1001f45f381ff18d7da85b5606114e02938ae9638591d

SHA512
21c24b6650ab0c18bc26cc8140f903353c1341dfdea3addcfdea5955fab1cc32b7a61f95335e594586560b5d8e8dbabe09b0965586b7d2261a5317956f5bca8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bbb673277fae96ee4bc299672085e949

SHA1
731ccb1581a06bff2ca36ca46b20c91c9adc468c

SHA256
21a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d

SHA512
aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425

Download Submit
C:\Users\Admin\AppData\Local\Temp\6lE2IkKRbl.bat
Filesize
165B

MD5
af1054756ba938a6ad2b78ebe3aae02b

SHA1
dc58b7d57b693e01498c2957f24737ef39d690fb

SHA256
a06036fdaa8607937c292d0952ee97277c5984d52954a2845d3a54e903083578

SHA512
db22f8f090fa84578a086990c37f49ecfae4a571dee043d0110373e25fd601a48b39a276aef82def1a105d4cbfb7106836d1db44932096ed36c1d2d960a2d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtzjrcwf.rfo.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bozscvkmidso.xml
Filesize
1KB

MD5
11c4206f3a1782d15708f1197d3d5036

SHA1
a9bd700df93ff11f876a15e4cedc2a8ab3bf5d08

SHA256
cd4530040d181100ddb0ab7428e4c3e3a65e9b2cbb475706144666fd4db6ac55

SHA512
ab33e882edf236262ee3723f8f3e3ce79939cb4d86e73a81f796639b57e549b5b71b8bff99959db00ace30ce22b1d676718d903b50976f351dcdcfd587252bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAhl4fNEA5.bat
Filesize
165B

MD5
aed2ed3cee46497be5a262abb6f44847

SHA1
3e9159ea3e123fb2b530d6df329b5d0143cd5e3e

SHA256
d94654d7e9fc0256acfb0fc801248992e302413b2c7b15a2efe134802be8edd6

SHA512
b411c76c3074dd3f73d032b397154b532905525e27023a00696bdeb39cb6a6f527835746746781c5d308070b1482106902ea1d42fa9437aa9a58c409d4f7d240

Download Submit
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
Filesize
905KB

MD5
dd1313842898ffaf72d79df643637ded

SHA1
93a34cb05fdf76869769af09a22711deea44ed28

SHA256
81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df

SHA512
db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

Download Submit
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
Filesize
4.4MB

MD5
673b523777d7f575004e47668bcedfd2

SHA1
53fd77b4189dd696f942d6092ce96f9966c67f21

SHA256
b255fd532cb851be74f4d72ca572e34916d218138abdaf9cd5c41298f3aee903

SHA512
164fedbefad95fd3d785ed302a5ce890e13d48138e273ae4d66b3c4bd5b46d0095217d77e9c41f275a7d3efb4a885866788e44cfbafaf1a16b2c0099418b25dc

Download Submit
C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe
Filesize
859KB

MD5
d18283d6cfe1d4fd930f8b80ef786e86

SHA1
dfc7d3a930bbc69f3b0e54c9333ab991d79a85f6

SHA256
6d3fb4f323e7a18336f671001a885433418658e9ac244c6e9d8fb961340836b3

SHA512
c733e98328738a4664afdaf1dad6fa656064df68920c889b38c3d716b0d5d8f4d16a60b943e04f619a6445f0a66895caa3e0176465a531c738bc9995f0f1ae67

Download Submit
memory/200-816-0x00007FF6DEE80000-0x00007FF6DF2F8000-memory.dmp

Filesize
4.5MB

Download
memory/200-649-0x00007FF6DEE80000-0x00007FF6DF2F8000-memory.dmp

Filesize
4.5MB

Download
memory/920-68-0x0000000002490000-0x000000000249E000-memory.dmp

Filesize
56KB

Download
memory/920-13-0x00000000002A0000-0x0000000000378000-memory.dmp

Filesize
864KB

Download
memory/920-47-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/920-49-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/920-50-0x00000000024B0000-0x0000000002500000-memory.dmp

Filesize
320KB

Download
memory/920-52-0x0000000002460000-0x0000000002478000-memory.dmp

Filesize
96KB

Download
memory/920-54-0x0000000002410000-0x000000000241E000-memory.dmp

Filesize
56KB

Download
memory/920-195-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmp

Filesize
9.9MB

Download
memory/920-64-0x0000000002420000-0x000000000242E000-memory.dmp

Filesize
56KB

Download
memory/920-66-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/920-70-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/920-14-0x00007FFF5DA73000-0x00007FFF5DA74000-memory.dmp

Filesize
4KB

Download
memory/920-21-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/920-22-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmp

Filesize
9.9MB

Download
memory/976-561-0x00007FF7984F0000-0x00007FF798968000-memory.dmp

Filesize
4.5MB

Download
memory/976-627-0x00007FF7984F0000-0x00007FF798968000-memory.dmp

Filesize
4.5MB

Download
memory/1152-334-0x0000000009940000-0x000000000995A000-memory.dmp

Filesize
104KB

Download
memory/1152-34-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

Filesize
216KB

Download
memory/1152-97-0x00000000099B0000-0x0000000009A44000-memory.dmp

Filesize
592KB

Download
memory/1152-44-0x00000000085B0000-0x00000000085FB000-memory.dmp

Filesize
300KB

Download
memory/1152-43-0x00000000082A0000-0x00000000082BC000-memory.dmp

Filesize
112KB

Download
memory/1152-45-0x0000000008520000-0x0000000008596000-memory.dmp

Filesize
472KB

Download
memory/1152-348-0x0000000009930000-0x0000000009938000-memory.dmp

Filesize
32KB

Download
memory/1152-42-0x0000000007E90000-0x00000000081E0000-memory.dmp

Filesize
3.3MB

Download
memory/1152-37-0x00000000075A0000-0x0000000007606000-memory.dmp

Filesize
408KB

Download
memory/1152-38-0x0000000007710000-0x0000000007776000-memory.dmp

Filesize
408KB

Download
memory/1152-36-0x0000000007500000-0x0000000007522000-memory.dmp

Filesize
136KB

Download
memory/1152-35-0x0000000007810000-0x0000000007E38000-memory.dmp

Filesize
6.2MB

Download
memory/1152-96-0x00000000095F0000-0x0000000009695000-memory.dmp

Filesize
660KB

Download
memory/1152-89-0x0000000009470000-0x00000000094A3000-memory.dmp

Filesize
204KB

Download
memory/1152-91-0x0000000009450000-0x000000000946E000-memory.dmp

Filesize
120KB

Download
memory/1152-90-0x0000000073960000-0x00000000739AB000-memory.dmp

Filesize
300KB

Download
memory/3372-253-0x00000242EBAE0000-0x00000242EBB56000-memory.dmp

Filesize
472KB

Download
memory/3876-192-0x00000202A4240000-0x00000202A4262000-memory.dmp

Filesize
136KB

Download
memory/4264-829-0x00007FF721C40000-0x00007FF721C53000-memory.dmp

Filesize
76KB

Download
memory/4300-18-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/4300-0-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/4300-23-0x000000007FAD0000-0x000000007FEA1000-memory.dmp

Filesize
3.8MB

Download
memory/4300-1-0x000000007FAD0000-0x000000007FEA1000-memory.dmp

Filesize
3.8MB

Download
memory/4628-680-0x00000281F7F00000-0x00000281F7F1C000-memory.dmp

Filesize
112KB

Download
memory/4628-686-0x00000281F81D0000-0x00000281F8289000-memory.dmp

Filesize
740KB

Download
memory/4628-719-0x00000281F7F20000-0x00000281F7F2A000-memory.dmp

Filesize
40KB

Download